European Data Protection Board (EDPB) Letter to the European Union institutions on the protection in the anti-money laundering/combating the financing of terrorism (AML/CFT) legislative proposals

On 12 May 2022, the EDPB sent a letter to the European Union institutions (Commission, Council, European Parliament) in order to advise the EU institutions on personal data protection related to the AML-CFT framework. The recommendations made by the EDPB to the EU Commission can be summarised as follows:

• The EDPB calls on the EU institutions to involve the EDPB in the discussions on the AML legislative proposals and suggests some relevant modifications, in particular with regard to the Regulation establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA Regulation).
• The AML legislative proposals should provide for additional safeguards in relation to the processing of these personal data to ensure compatibility with the provisions on the processing of special categories of personal data and on the processing of personal data relating to criminal convictions and offences of Regulation 2016/679/EU (General Data Protection Regulation – GDPR). Without further amendments, the AML legislative proposals would have a disproportionately negative impact on the rights and freedoms of individuals.
• The categories of personal data to be processed by obliged entities and additional rules that might impact their processing should not be specified in the regulatory technical standards (RTS), guidelines, and recommendations, but rather be identified directly in the AML legislative proposals.
• In terms of the processing of special categories of personal data, the provision contained in the AML Regulation which states that obliged entities may process special categories of personal data according to the GDPR provision on the processing of special categories of personal data, to the extent that this processing is ‘strictly necessary’, might not be in line with data minimisation principle, as the meaning of ‘strictly necessary’ is not specified. It may lead obliged entities to process data falling under the scope of the GDPR that are not necessarily relevant for the purpose of the AML Regulation.
• In terms of the processing of personal data relating to criminal convictions and offences, the AML Regulation states that obliged entities may process ‘allegations’. The processing of such data presents a high level of risk, as the term ‘allegations’ is not defined. Also, the impact on the person concerned could be significant. Thus, the term ‘allegation’ should be specified in the aforementioned provision of this proposal or be deleted.
• There is a need to provide additional provisions in relation to the sources of information. In order to ensure compliance with the ‘accuracy’ and ‘minimisation’ principles, as well as with the ‘accountability’ principle under the GDPR, an express reference to the obligation for obliged entities to use only accurate and reliable sources (for any processing of personal data) should be included.